1

what should I do to make my RSA signatures secure? If "plaintext RSA" is not secure, is there some sort of "RSA on steroids" I am not aware of? Could anybody tell me what is it?

I read a Wikipedia article "Digital signature". In the "History" chapter we can see:

...Soon afterwards, Ronald Rivest, Adi Shamir, and Len Adleman invented the RSA algorithm, which could be used to produce primitive digital signatures (although only as a proof-of-concept – "plain" RSA signatures are not secure

I searched for "rsa signature is not secure" but didn't find anything legible. Does anybody know why are RSA signatures are not secure and how can I make it secure by not doing "plain" signatures? Are there any tricks? The thing is that recently I implemented RSA in my code for my project and was so excited to see that I can sign and verify things with RSA...

shal
  • 207
  • 1
  • 2
  • 6
  • Search for "textbook RSA", which is a more common name what that quote calls "plain RSA". – CodesInChaos Dec 25 '17 at 10:39
  • You should either use Full-Domain-Hash or PSS padding for RSA signatures. – CodesInChaos Dec 25 '17 at 10:40
  • Ilmari, that page describes insecurities of RSA... But what can be done to prevent it? What is "not a plaintext RSA"? Is there some kind of "RSA on Steroids" I am not aware of? – shal Dec 25 '17 at 14:33
  • The section 'Some digital signature algorithms' further down that page links to RSA-PSS among others. Even RSASSA-PKCS1-v1_5 (signature) is still secure in practice (if correctly implemented) although not provably and it is no longer preferred. In contrast RSAES-PKCS1-v1_5 (encryption) is broken in many practical cases by an attack due to Bleichenbacher (who is easy to google). Related: https://crypto.stackexchange.com/questions/20085/which-attacks-are-possible-against-raw-textbook-rsa – dave_thompson_085 Dec 26 '17 at 04:15

2 Answers2

6

The main modern standard RSA-based signature scheme is RSASSA-PSS in PKCS#1 v2, also standardized as IETF RFC 8017 (v2.2, obsoletes v2.1 in RFC 3447). This is a variant of PSS proposed and analyzed by Bellare and Rogaway in 1996.

Beware: RSASSA-PSS as standardized by RSA, Inc., in the early 2000s, around the same time as Dual_EC_DRBG,* is vulnerable to collisions in the underlying hash function by virtue of using $H(r \mathbin\Vert H(m))$, instead of $H(r \mathbin\Vert m)$, which would have required of $H$ the much more modest security property (enhanced) target collision resistance. This vulnerability to collisions led to a technique for practical HTTPS certificate forgery by academics, and to a different technique for certificate forgery used in an international incident of industrial sabotage by the United States and Israel against Iran.

If you need to get code running right now and for some reason you need to use RSA, that's the practical answer. If you need to get code running right now but you don't actually need to use RSA, use Ed25519 instead—except for verification speed, it is an all-around faster, safer, and compacter signature scheme.

If you are studying existing code or an existing protocol that was not designed by a competent cryptographer, and you are wondering whether it uses a state-of-the-art signature scheme, you should expect it to use either RSASSA-PSS or PKCS#1 v1.5 signature. If it doesn't, your eyebrows should be raised and whoever designed it has some justifyin' to do.

If you are intellectually absorbed by the wonders of the world of cryptography, or if like me you're a bone-eating vulture who likes blathering at strangers on the internet about things you've learned, then you should also know about full-domain hash, which was discarded essentially for political reasons among cryptographers but is easy to implement and instantiate with modern XOFs like SHAKE256, and Rabin–Williams signatures, which are more efficient with a tighter security reduction. But make sure you know what you're trying to achieve before you go down that rabbit hole!

* I have no evidence to support a connection here, but coincidences like these are remarkably good at playing evidence in games of charades at parties.

Community
  • 1
Squeamish Ossifrage
  • 48,392
  • 3
  • 116
  • 223
  • Do you have a link to the spec of that different RSASSA-PSS standardized in the early 2000s? – fgrieu Dec 26 '17 at 20:52
  • 1
    @fgrieu No, I just mean the standard RSASSA-PSS we all know and love, or love to hate, is designed this way. In a little more detail: the message $M$ figures in via $H(0^{64} \mathbin\Vert H(M) \mathbin\Vert \mathit{salt})$. (See p. 37 of PKCS#1 v2.2, or p. 43 of RFC 8017.) If it had instead been $H(0^{64} \mathbin\Vert \mathit{salt} \mathbin\Vert M)$, then there would be no need for collision resistanc (unless the entropy source used to generate $\mathit{salt}$ is predictable). – Squeamish Ossifrage Dec 26 '17 at 20:56
  • Understood. Indeed, entering an unpredictable value early in the data of a hash used for signature lessens the pressure on the hash. – fgrieu Dec 27 '17 at 12:43
  • @SqueamishOssifrage, I just need signing system in my project, the only condition is that it must be secure, so I go for Ed25519. Thank you for help! – shal Dec 31 '17 at 09:42
-1

When talking about "plain" RSA, it is referencing standard RSA without any sort of random padding. https://en.m.wikipedia.org/wiki/Optimal_asymmetric_encryption_padding talks about this OAEP type of RSA. Problems with the plain format include that it is malleable and deterministic. OAEP solves these problems.

Jackoson
  • 133
  • 4
  • 6
    OAEP is padding for encryption, hence the name '... Encryption Padding'. The equivalent for signature is Probablistic Signature Scheme PSS as explained by Squeamish. – dave_thompson_085 Dec 26 '17 at 04:10